Lines of code
<https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L653-L661>
There is a function that is intended to be used to recover ERC20 tokens that were sent to the WardenPledge contract by accident. The function is only usable by the owner and contains a check that no tokens can be taken which are currently whitelisted as reward tokens. However, the owner also has enough privileges to bypass that check and can instantly take all reward tokens that are part of currently running pledges.
The function for moving out accidentally sent ERC20 tokens, described above, is recoverERC20:
```solidity
/**
* @notice Recovers ERC20 tokens sent by mistake to the contract
* @dev Recovers ERC20 tokens sent by mistake to the contract
* @param token Address of the ERC20 token
* @return bool: success
*/
function recoverERC20(address token) external onlyOwner returns(bool) {
    if(minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken();
    uint256 amount = IERC20(token).balanceOf(address(this));
    if(amount == 0) revert Errors.NullValue();
    IERC20(token).safeTransfer(owner(), amount);
    return true;
}
```
It can be seen that it reverts if minAmountRewardToken[token] != 0, which means the token can be used during the creation of a new pledge and also that there might currently be pledges running with that token as a reward.
However, the owner can use the removeRewardToken function at will to "de-whitelist" any such tokens, which would allow him to sweep all reward tokens with recoverERC20 right after:
```solidity
function removeRewardToken(address token) external onlyOwner {
    if(token == address(0)) revert Errors.ZeroAddress();
    if(minAmountRewardToken[token] == 0) revert Errors.NotAllowedToken();
    minAmountRewardToken[token] = 0;
    emit RemoveRewardToken(token);
}
```
Manual Review
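One way to close the bypass described above, as an added example that is not Paladin's code or fix: track the reward tokens still owed to running pledges and let recoverERC20 move only the balance above that amount, so de-whitelisting a token no longer unlocks pledge funds. The `reserved` mapping, the `_reserve`/`_release` hooks, the contract name and the error names are hypothetical; the page does not show how WardenPledge accounts for pledge rewards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example: all names below are hypothetical, not taken from WardenPledge.
abstract contract RecoverExcessOnly {
    using SafeERC20 for IERC20;

    address public immutable owner;

    // Reward tokens still owed to running pledges, per token address.
    mapping(address => uint256) public reserved;

    error NotOwner();
    error NothingToRecover();

    constructor() {
        owner = msg.sender;
    }

    // Call when a pledge is created or extended, after its rewards are pulled in.
    function _reserve(address token, uint256 amount) internal {
        reserved[token] += amount;
    }

    // Call when rewards are paid out or returned to the pledge creator.
    function _release(address token, uint256 amount) internal {
        reserved[token] -= amount; // checked arithmetic reverts on underflow
    }

    // Only the surplus above what pledges are owed can leave the contract,
    // whether or not the token is still whitelisted as a reward token.
    function recoverERC20(address token) external returns (bool) {
        if (msg.sender != owner) revert NotOwner();
        uint256 balance = IERC20(token).balanceOf(address(this));
        uint256 locked = reserved[token];
        if (balance <= locked) revert NothingToRecover();
        IERC20(token).safeTransfer(owner, balance - locked);
        return true;
    }
}
```

With this accounting the recovery check depends on balances owed rather than on the whitelist entry, so the order in which the owner calls removeRewardToken and recoverERC20 no longer matters.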